Hospital Hack Spotlights How Medical Devices and Systems Are at Risk

A hospital in LA was recently the target of "ransomware."

ByABC News
February 18, 2016, 5:26 PM

— -- The recent breach of a computer system at a hospital in Los Angeles is highlighting the dangers of hackers targeting medical data and devices.

The Hollywood Presbyterian Medical Center paid nearly $17,000 to hackers after their communications were shut down in a "ransomware" attack earlier this month, hospital officials told ABC News on Wednesday. The hospital paid the fee in 40 bitcoins to get access to their system again, officials said. Bitcoin is an electronic currency often used for online transactions.

Hospitals and medical providers can provide a trove of valuable information that hackers are eager to get their hands on, experts said.

Thomas Lewis, Partner-in-Charge at LBMC Information Security, said hospitals have become more of a target in recent years as Wi-Fi has made them more vulnerable to data breaches or being encrypted with "ransomware" -- a program that shuts down a system until a ransom is paid.

"Hospitals are a new target" Lewis told ABC News, explaining there are often multiple ways for a would-be hacker to access the system.

"Wireless networks are scattered throughout a hospital connecting their corporate systems and their medical systems, providing a target-rich environment," Lewis said. "This situation, when coupled with open physical access that hospitals have to maintain, provides a huge challenge for securing the environment."

As devices become more connected through networks, there have also been concerns that hackers could target devices implanted in humans, such as insulin pumps or pacemakers. A 2013 report found that 300 devices made by 40 manufacturers may be vulnerable due to password settings that could "permit privileged access to devices" that would normally be used only by a service technician, according to the Department of Homeland Security's Industrial Control Systems Cyber Security Emergency Response Team.

These devices included ventilators, anesthesia devices, drug infusion pumps and external defibrillators. The team worked with the U.S. Food and Drug Administration and manufacturers and fixed the password-related vulnerabilities identified. The team clarified that there was no evidence that anyone has been hurt by a cyber-attack on a medical device.

Wade Woolwine, director of Threat Detection and Response at the security company Rapid 7, said hackers are more focused on getting data from hospitals rather than inflicting harm on patients.

"Attackers, more than any other time in the past, operate as a business -- a very dark market business, but still a business," Woolwine explained. "There isn't a whole lot of money in disrupting someone's pacemaker."

However, this does not mean that implanted devices are free from harm, Woolwine said, noting that after vulnerabilities come to light, "some of the manufacturers have responded with implementing better security controls."

A larger concern, Lewis said, is that there is a chance a hacker attempting to get patient data could accidentally knock out medical devices connected to the Wi-Fi network, such as an MRI or X-ray machine.

Hackers currently don't seem to be interested in going after implantable devices, Lewis said, but it might be more of a concern in a "national security" setting.

"They may be targeting a high-profile figure, but that is usually very rare," he explained.

Both Lewis and Woolwine said it is imperative that hospitals and medical providers prepare for these attacks and go through security measures every year to protect themselves and safeguard patient data.

"If you steal money, you know it's gone," Lewis said. "But when you steal data, you never know it's gone."